Computer/Information Security blog. Sometimes I will blog about IT too.

Friday, September 4, 2009

Exploiting SAP Business Platforms: The Pen-Testing Analysis

SAP simply stands for "Systems, Applications and Products in data processing". As a unique business solution developer, SAP integrates a range of solutions including ERP, CRM, GRC, PLM, SCM and many more. The ease of usage and implementation, together with its market reputation, has put forward a strong basis for the company (German-based) worldwide. Deploying a SAP solution is a lengthy and complex process, and that is why core security settings are often left at their defaults or unattended. This can result in serious exposure of the SAP platforms and flags a high risk to the organization.

Talking in the specific context of the SAP platform, many auditors would like to harden the SAP authorization subsystem (roles and profiles). While hardening the authorization process and segregation of duties is considered vital, there is also another aspect of security which involves technical assessment of all the networked components within the SAP environment. Conducting "Penetration Testing" using an industry-proven methodology gives a clearer outlook on security vulnerabilities and threats in the existing infrastructure. For example, a weakness in configuration may result in business fraud. The typical steps followed under SAP Pen-Testing are:

- Discovery (Find the target)
- Enumeration (Services running on the platform)
- Vulnerability Assessment (Check for the presence of known/unknown vulnerabilities)
- Exploitation (Try to gain administrator privileges on the defined system)

The main goal is to achieve the highest possible privileges in the production environment which can be accomplished by:

It is worth mentioning that "Sapyto" is specially designed as a SAP Penetration Testing Framework to cover all aspects of the Pen-Testing methodology. And because it is developed in Python and C, it is easier to port plugins.

Countermeasures

1. Restrict connections to the SAP gateway.
2. Restrict access to shared resources, such that only internal connections are allowed.
3. Harden the configuration settings.
4. Remove/Change the default user accounts.
5. Enable "SNC" to protect against eavesdropping.
6. Good password security should be enforced.
7. Access to transactions should be restricted.
8. Use the SAP authorization object "S_PROGRAM" to protect report confidentiality.
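As an added example (not code from the original post), a small Python audit script that checks an instance profile against countermeasures 1, 2, 4, 5 and 6 above. The `parameter = value` profile syntax, the constructed sample profile and the threshold values in BASELINE are assumptions of this example, not values stated on the page.

```python
"""Audit a SAP instance profile against the countermeasures listed above.
Assumptions (not from the original post): profile lines are `parameter = value`
with `#` comments; the BASELINE thresholds are illustrative policy choices."""

# Constructed sample profile mixing hardened and weak/default settings.
SAMPLE_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = PRD
gw/acl_mode = 0                      # weak: permissive when ACL files are missing
gw/sec_info = $(DIR_GLOBAL)/secinfo  # ok: gateway start ACL configured
gw/monitor = 2                       # weak: remote gateway monitoring allowed
snc/enable = 0                       # weak: no SNC, traffic can be eavesdropped
login/min_password_lng = 10          # ok
login/fails_to_user_lock = 99        # weak: guessing hardly ever locks the user
login/no_automatic_user_sapstar = 0  # weak: default SAP* user may be usable
"""

# (parameter, predicate on its string value, countermeasure number it supports)
BASELINE = [
    ("gw/acl_mode", lambda v: v == "1", "1: gateway denies unless secinfo/reginfo allow"),
    ("gw/sec_info", lambda v: v != "", "1: secinfo ACL file configured"),
    ("gw/reg_info", lambda v: v != "", "1: reginfo ACL file configured"),
    ("gw/monitor", lambda v: v in ("0", "1"), "2: gateway monitor not exposed remotely"),
    ("snc/enable", lambda v: v == "1", "5: SNC protects against eavesdropping"),
    ("login/no_automatic_user_sapstar", lambda v: v == "1", "4: no automatic SAP* account"),
    ("login/min_password_lng", lambda v: v.isdigit() and int(v) >= 8, "6: password length"),
    ("login/fails_to_user_lock", lambda v: v.isdigit() and 1 <= int(v) <= 5, "6: lockout"),
]

def parse_profile(text):
    """Return {parameter: value}; a repeated parameter keeps its last value."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding blanks
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def audit(params):
    """Return (parameter, observed value, countermeasure) for every failed check."""
    findings = []
    for name, is_ok, why in BASELINE:
        value = params.get(name, "")
        if not is_ok(value):
            findings.append((name, value or "<unset>", why))
    return findings
```

Running `audit(parse_profile(SAMPLE_PROFILE))` on the constructed profile reports the six weak or unset parameters; unset parameters are flagged as `<unset>` rather than silently skipped, since SAP falls back to its default for them.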